arm - role for enterprise application

Rotem ben hemo 6 Reputation points


I created an Enterprise application in the Azure Active Directory. I manually gave it the Reader role under my subscription -> Access control (IAM).

I am searching for a way to add more roles to the app using Azure ARM (for automation).

In my search I found this:
"resources": [
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-09-01-preview",
"name": "[guid(some string)]",
"properties": {
"roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'roleId')]",
"principalId": "objectId"

When I give the "objectId" as a parameter (which I took manually from the portal) it works, and I see the new role under the subscription access control.

Is there a way to get this objectId by some function of ARM, without getting the id as a parameter?

I read that I can use the function "[reference(resourceId()).principalId]" but I don't know which values I need to insert for my Enterprise application. I have app (client id), tenant id, subscription id, client secret. Which provider do I need to give? ResourceType? I did not find any record about it. Can this function be used for an Enterprise application?

I also tried to take the objectId using the CLI command $(az ad sp show --id appId --query 'objectId'), and tried to use it in the ARM with deploymentScripts. I created userAssignedIdentities for it and gave it the Contributor role, but I am getting an error: Insufficient privileges to complete the operation...


1 answer

  1. Saurabh Sharma 23,776 Reputation points Microsoft Employee

    Hi @Rotem ben hemo ,

    Thanks for using Microsoft Q&A !!
    It is unfortunately not possible to get the service principal Id directly in an ARM template. If the service principal belongs to a service that supports managed identity, then you can use Identity.principalId to refer to the same. So, if the managed identity is of a VM, then you can use something like below -
    "[reference(resourceId('Microsoft.Compute/virtualMachines', variables('vmName')),'2019-12-01', 'Full').identity.principalId]"
    Please refer to the documentation over here.

    Also, you can directly refer to User Assigned Managed Identities in your ARM template by using the resource type 'Microsoft.ManagedIdentity/userAssignedIdentities' and explicitly mentioning principalType as "ServicePrincipal". Please refer to the documentation for details. Please let me know if you see any issues with this.